CLAIMS

1. A device for checking logical software engines
for controlling and commanding plants, particularly
railway plants, particularly station plants, comprising
at least a computer with at least a central processing
unit and at least a memory for loading and executing
programs:

a logical engine for commanding a plant,
particularly a station plant, being loaded or loadable
in said memory for its execution, which plant comprises
a plurality of operating units for actuating and/or
detection and/or measurement and/or signalling, so-called
wayside equipments, which units are provided for
receiving command signals and for transmitting control
signals about the operating condition, and which
logical software engine reads control signals given by
the operating units for actuating and/or detection
and/or measurement and/or signalling and it processes
command signals of said operating units basing on an
operation protocol of the plant itself,

characterised in that

in the computer memory a plant software simulation
program that is to be controlled and commanded by the
control and command logical program is loaded or
loadable and it is executable by the computer itself
and which simulation program reproduces exactly the
plant structure and the operating modes of operating
units provided in said plant.

2. A device according to claim 1, characterised in
that the simulation of plant structure and of operating
units associated thereto, such as track circuits to
detect the presence of the train, switch points
actuators, signalling actuators and other different
units is represented in the simulation program by
Boolean algorithms, variables associated to said
algorithms being univocally defined to represent the
control signals of various state or operation
conditions of several operating units and the command
signals for commutating and/or maintaining the state or
operating conditions of said several operating units.

3. A device according to claims 1 or 2,
characterised in that means for displaying the image of
plant behaviour are provided under the control of the
control and command logical program as variable lists
univocally associated to various operating units as
report files wherein various operating units and the
associated state or command variables are listed.

4. A device according to one or more of the
preceding claims, characterised in that the simulation
program comprises means for setting starting operating
conditions of the plant and/or even anomalous setting
situations of plant operating units to check the
reaction of the plant to these conditions.

5. A device according to one or more of the
preceding claims, characterised in that to each plant
operating unit and/or to each important structural
element and/or at least to one or more areas of the
plant and/or to the whole plant can be univocally
associated a virtual image of the operating unit and/or
of the plant structural element and/or of the area or
areas of the plant and/or of the whole plant which
image is generated by a graphic program loaded or
loadable and/or executable by the computer of the
device and which virtual image is univocally correlated
to the logical program for simulating the operating
unit or the plant structural element or the area or
areas of the plant or the whole plant, the graphic
program for generating the virtual image of each
operating unit and/or of each area and/or of the plant
being such to generate several graphic aspect
conditions of the operating unit, of the area or of the
whole plant each of them is univocally correlated to a
predetermined value of variables relevant to the
operating condition of the operating unit or of the
area or of the plant and/or of command variables for
commutating or maintaining the operating state of the
operating unit or of the area or of the plant.

6. A device according to one or more of the
preceding claims, characterised in that the operation
of the control and command logical program is further
represented, in parallel or alternatively, as behaviour
of the equivalent command hardware logic composed of a
relay network, a program for simulating relay operation
and a program for simulating relay network operation
being provided, as well as graphic programs for
representing relays univocally associated to each relay
simulation program and to relay network graphic
representation program.

7. A device according to claim 6, characterised in
that each relay is simulated by a logical program of
Boolean type, single state conditions of relays and/or
commutation commands being represented by state or
command variables and graphic programs being such to
associate several relay graphic aspects univocally
correlated to values assumed by said state or command
variables.

8. A device according to one or more of the
preceding claims, characterised in that it has means
for scheduling and configuring images and/or state and
command variable lists of virtual operating units
corresponding to the desired or correct operation or
state condition of the plant in conjunction with a
predetermined operation situation, by providing means
for checking, directly and visually, a correct
operation in conjunction with automatic check means
basing on the comparison between the nominal image and
the nominal table or list of desired state and command
variables previously scheduled and the image and state
and command variables really processed during the
operation of the control and command logic with the
station plant virtual model, an error message being
sent in case of non-identity.

9. A device according to claim 8, characterised in
that it has means for displaying graphically and/or
analytically the operating unit or units that have
assumed a non-correct condition and the corresponding
state or command variable or variables.

10. A device according to claims 8 or 9,
characterised in that the automatic check means analyse
even the simulated representation means of the relay
network, indicating which relay or relays have not been
commutated in the correct condition and the
corresponding commutation state or command variables.

11. A device according to one or more of the
preceding claims, characterised in that it provides
automatic means that correct the control and command
logical program basing on the possible corrections made
by the user to state or commands variables manually
modified in the presence of a state or command error of
a virtual operating unit or of a relay in the
corresponding command logical circuit formed by the
plant or network relay virtual model.

12. A device according to one or more of the
preceding claims, characterised in that the
modification means allow modification interventions
both of alphanumeric type executed on report files of
state or command variables, and interventions for
graphically modifying the aspect of the operating unit
or the relay corresponding to the state of said
operating unit or of said relay, whereas analysis and
interpretation means are provided which analyse state
or command variable values manually set to correct the
wrong values, analyse the control and command logical
program and modify the code to commute the operating
unit or relay in the correct state condition when the
operation condition occurs with which the control and
command logical program had previously generated the
error.

13. A device according to one or more of the
preceding claims, characterised in that it comprises
means for associating operating units and plant
structural elements to generate or to find areas of
virtual station plant and the corresponding parts of
the control and command logical program having typical
plant structures that recur in several station plants,
so as to load and reuse both the Boolean simulation
programs, and graphic display programs as well as parts
of control and command logical programs in new station
plants having equal station areas.

14. A device according to one or more of the
preceding claims, characterised in that it has means
for connecting and interfacing with validation and
certification means based on the diversity of the
program for generating the control and command logical
program, such as a so-called Boolean algorithms
checker.

15. A device according to claim 14, characterised
in that the Boolean checker comprises an additional
program for generating the control and command logical
program generated or memorized in the Boolean checker
which additional control and command logical program is
generated through means different than the one during
the test step by means of plant simulation and means
for comparing the additional control and command
logical program generated or memorized in the Boolean
checker with the control and command logical program
during the test step by means of plant simulation to
notice the identity between the two control and command
logical programs.





WO 2004/044788    PCT/EP2003/050724



16. A device according to claim 15, characterised
in that the comparison occurs at the Boolean equation
system of the control and command logical program
generated or memorized in the Boolean checker and at
the control and command logical program during the test
step by means of simulation of the plant.

17. A device according to claims 15 or 16,
characterised in that the comparison occurs according
to text reports by means of plant simulation of the
control and command logical program during the test
step and of the additional control and command logical
program generated and/or memorized in the Boolean
checker, means being provided for comparing
command and state variables of operating units and
relays of the virtual relay network both from the
numeric perspective and the graphic perspective.

18. A device according to claim 17, characterised
in that it comprises means for the displaying, in a
combined way, of graphic images of plant state
conditions obtained with the two control and command
logical programs.

19. A device according to claim 18, characterised
in that it comprises means for displaying, in an
overlap way, plant layout images according to the two
control and command logical programs, in which
overlapping of the plant state condition image the
possible differences are graphically highlighted in a
visually relevant way.



20. A device according to one or more of the
preceding claims 15 to 19, characterised in that the
two comparison modes at the Boolean equation system and
at report files of the test of control and command
logical programs with the virtual plant are executed
sequentially, the result of the first comparison being
a means to identify the operating unit and/or the plant
area and/or the Boolean equations wherein a difference
has been noticed and it must be subjected to the second
comparison step.



21. A device according to claim 20, characterised
in that the comparison relevant to plant conditions
obtained by the two control and command logical
programs is firstly executed and therefore it is
identified on which parts of the program the comparison
actions can be limited with regard to the Boolean
equation system to determine possible actions to
correct the same or the debugging.

22. A device according to one or more of the
preceding claims 15 to 21, characterised in that the
Boolean checker analyses, basing on diversity, even
logical programs for simulating the single operating
units and/or the plant areas and/or the plant and/or
the logical programs for simulating relays or relay
network extending such check action, based on the
diversity, of the generating program even to programs
for graphically representing operating units or relays.

23. A device according to one or more of the
preceding claims, characterised in that it comprises a
network interface and it may constitute a non-vital
node of the railway plant, being a means for quickly
modifying the control and command logical program and
for virtually validating the same, for instance in case
of a structural modification of the plant by
eliminating or adding plant elements.

24. A device according to claim 23, characterised
in that said device, alternatively or in conjunction,
is a diagnostic or supervisory tool of the correct
operation of the real station plant, being provided a
comparator between the state condition that has been
assumed by the real plant and the one that has been
assumed by the simulated plant.

25. A device according to claims 23 or 24,
characterised in that it is a device for simulating
emergency interventions before their application to the
real plant, in the emergency event being possible to
simulate several intervention or command possibilities
of the plant to execute on the plant itself, among
the possible choices, the one that is the best solution.

26. A device according to one or more of the
preceding claims, characterised in that it comprises
tools for executing simulating functions with a user
interface of the type used by the Windows ® program
by Microsoft Inc. and therefore it comprises operating windows
with function buttons, quick choice menus and other
functionalities typical of said interface, in addition
obviously to the use of mouse or of other pointers,
selection and command input systems and the keyboard to
input numerical data, such as to create or modify
graphic images of operating units and/or of relays or
of other parts of the plant structure.

27. A device according to one or more of the
preceding claims, characterised in that it provides
means for setting specific operating conditions of the
plant or of anomalous situations and for checking the
plant reactions referring to several operating
environments.

28. A device according to claim 27, characterised
in that manually setting means are means provided by
the personnel imposing at the starting of the cycle for
executing control and command logical program specific
state conditions to the several operating units, being
possible to provide by means of suitable scheduling
even conditions wherein one or more operating units are
not operating or operate in an anomalous way.

29. A method for checking software logical engines
for controlling and commanding plants such as railway
plants, particularly station plants, comprising at
least a central processing unit and at least a memory
for loading and executing programs:

a logical engine for commanding a plant,
particularly a station plant, being loaded or loadable
in said memory for its execution, which plant comprises
a plurality of actuating and/or detection and/or
measurement and/or signalling operating units, so-called
wayside equipments, which units are provided for
receiving command signals and transmitting control
signals as regards the operating condition, and which
logical software engine reads control signals given by
the actuating and/or detection and/or measurement
and/or signalling operating units and it processes
command signals of said operating units basing on an
operating protocol of the system itself,

characterised in that

in the computer memory a program for software
simulating the plant that must be controlled and
commanded by the control and command logical program is
loaded or loadable and it can be executed by the
computer itself and which simulating program reproduces
exactly the plant structure and the operating modes of
operating units provided in said plant.

30. A method according to claim 29, characterised
in that the simulation of the plant structure and of
the operating units associated thereto, such as track
circuits to note the train presence, switch points
actuators, signalling actuators and other different
units is represented in the simulating program by
Boolean algorithms, variables associated to said
algorithms being univocally defined to represent
control signals of various state or operation
conditions of various operating units and commutation
command signals of state or operating conditions of
said various operating units and/or the maintenance
thereof.

31. A method according to claims 29 or 30, 
characterised in that the image of the behaviour of the 
virtual plant under the control of the control and 
command logical program is displayed as variables list 
univocally associated to various operating units as 
report files wherein various operating units and 
associated state or command variables are listed. 

32. A method according to one or more of the
preceding claims 29 to 31, characterised in that it
provides the setting by the user of starting operating
conditions of the plant and/or even anomalous setting
situations of plant operating units to check the
reaction of the plant to these conditions.

33. A method according to one or more of the
preceding claims 29 to 32, characterised in that a
virtual image of the operating unit and/or the plant
structural element can be univocally associated to each
plant operating unit and/or to each relevant structural
element which image is generated by a graphic program
loaded or loadable and/or executable by the computer
and which virtual image is univocally correlated to the
simulating logical program of the operating unit or of
the plant structural element the graphic program for
generating the virtual image of each operating unit
being such to generate several conditions of graphic
aspects of the operating unit, each of them is
univocally correlated to a predetermined value of
variables relative to the operating condition of the
operating unit and/or commutation or maintenance
command variables of the operating state of the
operating unit itself.



34. A method according to claim 33, characterised
in that the operation of the control and command
logical program is further represented in parallel or
alternatively as behaviour of the equivalent command
hardware logic composed of a relay network, being
provided a simulating program of relays operation and a
simulating program of relay network operation, as well
as graphic programs for representing relays univocally
associated to each relay simulation program and relay
network graphic representation program.

35. A method according to claim 34, characterised
in that each relay is simulated by a logical program of
Boolean type, individual state conditions of relays
and/or commutation commands being represented by state
or command variables and graphic programs being such to
associate several graphic aspects of relays univocally
correlated to values assumed by said state or command
variables.

36. A method according to one or more of the
preceding claims, characterised in that the display of
the functional behaviour of the plant is executed
according to two modes, i.e. in the shape of report
file that displays values of state variables generated
by the programs processed by the simulation logical
programs of operating units and in the shape of graphic
representation of the operating condition of operating
units allowing to check in details the operating units
of the plant and therefore the operation modes thereof
both in an analytic way and in a direct visual way of
the physical operation condition.



37. A method according to one or more of the
preceding claims, characterised in that it provides
means for setting specific operating conditions of the
plant or of anomalous situations and for checking the
plant reactions referring to several operating
environments.

38. A method according to claim 37, characterised
in that settings can be executed by the personnel
imposing at the starting of the cycle for executing the
control and command logical program specific state
conditions to the several operating units, being
possible to provide by means of suitable scheduling
even conditions wherein one or more operating units are
not operating or operate in an anomalous way.

39. A method according to claim 37, characterised
in that it provides the scheduling and the
configuration of images and/or state and command
variables of virtual operating units corresponding to
the desired or correct operation or state condition of
the plant in conjunction with a predetermined situation
of operation and the execution of the direct and visual
check of correct operation as well as the execution of
an automatic check based on the comparison between the
nominal image and the nominal table or list of desired
state and command variables previously scheduled and
the image and state and command variables really
processed during the operation of the control and
command logic with the station plant virtual model, an
error message being sent in case of non-identity.

40. A method according to claim 39, characterised
in that the automatic check provides graphic and/or
analytic display of the operating unit that has assumed
a non-correct condition and the corresponding state or
command variable or variables and/or graphic and/or
analytic display of state variables of the relay
network simulated.

41. A method according to one or more of the
preceding claims 9 to 40, characterised in that it
provides automatic tools correcting the control and
command logical program depending on possible
corrections made by the user to state or command
variables manually modified in the presence of a state
or command error of a virtual operating unit or of a
relay in the corresponding command logic circuit
constituted by the relay network virtual model.

42. A method according to claim 41, characterised
in that it provides the execution of modification
interventions both of alphanumeric type executed on
report files of state or command variables, or graphic
interventions for modifying the aspect of the operating
unit or of the relay corresponding to the state of said
operating unit or of said relay said data being
interpreted by a correction program that analyses state
or command variables values manually set to correct
those wrong, and that analyses the control and command
logical program and modifies the colour to commutate
the operating unit or the relay in the correct state
condition with the same operation condition in presence
of which the control and command logical program had
previously generated the error.

43. A method according to one or more of the
preceding claims, characterised in that it provides the
read in of areas of the virtual station plant and the
corresponding parts of the control and command logical
program having typical plant structures that recur in
various station plants, to load and reuse both Boolean
simulation programs, and graphic display programs as
well as parts of the control and command logical
program in new station plants having equal station
areas.

44. A method according to one or more of the
preceding claims, characterised in that it provides the
alternative or parallel execution of a check of the
control and command logical program during the test
step with the plant simulator by means of a Boolean
checker that generates with diversity principles, or
wherein is memorized, a control and command logical
program generated with diversity principles and that
compares the control and command logical program during
the test step by means of virtual plant simulation with
the one generated with diversity criterions.

45. A method according to claim 44, characterised
in that it provides a further program for generating
the control and command logical program object of test
by means of plant simulation, which generating program
operates according to a code different from that with
which has been generated the control and command
logical program during the test by means of virtual
plant, the two control and command logical programs
being compared by the Boolean checker to identify
difference in the Boolean equation system.

46. A method according to claim 44, characterised
in that in addition or alternatively the control and
command logical program generated by the checker or
memorized therein is subjected to a test step by means
of virtual plant, being compared the results obtained
by the two control and command logical programs.

47. A method according to one or more of claims 44
to 46, characterised in that it provides the display,
both in the shape of comparative tables of variables
and in the shape of graphic comparisons, of the
operation differences of the two control and command
logical programs generated according to diversity
criterions and/or of the two relay networks
corresponding to the two Boolean equation systems,
being highlighted the variables and the graphic states
respectively that are different one with respect to the
other both in the variable comparison and in the
graphic comparison.

48. A method according to claim 47, characterised
in that it provides the overlap of graphic images of
the plant state conditions obtained by the two control
and command logical programs, being graphically
highlighted the possible differences in this overlap of
the image of the plant state condition.

49. A method according to one or more of claims 44
to 48, characterised in that it provides the execution
alternative or in turn of the two modes for comparing
the two control and command logical programs at the
Boolean equation system and at the result of the test
execution on the simulated virtual plant being also
possible to modify the sequence order of the two
different comparison modes.

50. A method according to claim 49, characterised
in that it provides the following comparison steps:

Firstly executing the comparison in relation to
the plant conditions obtained by the two control and
command logical programs;

Basing on said comparison identifying on which
parts of the program the subsequent comparison actions
can be limited;

Executing the comparison in relation to the
Boolean equations of the two control and command
logical programs only for the equations that caused the
functional divergences that have been found in the
first comparison step;

therefore executing the possible correction
actions thereof or the debugging enquiries (error
detection) on said Boolean equations identified as
responsible for the different behaviour of the plant.
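
The comparison sequence of claims 44 to 50 can be illustrated with a small sketch. It is an added example, not code from the patent: the three-unit plant model, the variable names, both equation systems and the defect seeded in program A are constructed for illustration, and the anomalous starting condition plays the role of the settings of claim 32.

```python
from itertools import product

# Boolean equations in sum-of-products form (constructed): each command
# variable is a list of product terms; a term maps a variable to the value
# it must have. Program A is the logic under test, with a seeded defect.
PROGRAM_A = {
    "point_move_cmd": [{"route_request": 1, "point_normal": 0, "tc_occupied": 0}],
    "point_lock_cmd": [{"route_request": 1, "point_normal": 1}],
    "signal_green":   [{"route_request": 1, "point_locked": 1, "tc_occupied": 0}],
}
# Program B is the diverse program: same intent, written in a different form.
PROGRAM_B = {
    "point_move_cmd": [{"route_request": 1, "point_normal": 0, "tc_occupied": 0}],
    "point_lock_cmd": [{"route_request": 1, "point_normal": 1, "tc_occupied": 0},
                       {"route_request": 1, "point_normal": 1, "tc_occupied": 1}],
    "signal_green":   [{"route_request": 1, "point_locked": 1,
                        "point_normal": 1, "tc_occupied": 0}],
}

def evaluate(equation, state):
    """True if any product term of the equation is satisfied by the state."""
    return any(all(state[v] == bool(want) for v, want in term.items())
               for term in equation)

def run_on_plant(program, initial, scenario):
    """Execute the logic against the simulated plant; return the report rows."""
    state, report = dict(initial), []
    for external in scenario:          # per-cycle route request / track occupancy
        state.update(external)
        commands = {name: evaluate(eq, state) for name, eq in program.items()}
        report.append({**state, **commands})
        # Boolean plant model: a move command drives the point to normal,
        # a lock command locks it only while it is detected normal.
        state["point_normal"] = state["point_normal"] or commands["point_move_cmd"]
        state["point_locked"] = commands["point_lock_cmd"] and state["point_normal"]
    return report

def compare_reports(report_a, report_b):
    """First step: variables whose values differ, with the cycles concerned."""
    diverging = {}
    for cycle, (row_a, row_b) in enumerate(zip(report_a, report_b)):
        for var in row_a:
            if row_a[var] != row_b[var]:
                diverging.setdefault(var, []).append(cycle)
    return diverging

def compare_equations(eq_a, eq_b):
    """Second step: exhaustive comparison over the joint support of two equations."""
    support = sorted({v for term in eq_a + eq_b for v in term})
    differing = []
    for values in product((False, True), repeat=len(support)):
        state = dict(zip(support, values))
        if evaluate(eq_a, state) != evaluate(eq_b, state):
            differing.append(state)
    return support, differing

def two_stage_check(initial, scenario):
    """Compare plant conditions first, then only the equations that diverged."""
    report_a = run_on_plant(PROGRAM_A, initial, scenario)
    report_b = run_on_plant(PROGRAM_B, initial, scenario)
    diverging = compare_reports(report_a, report_b)
    suspects = {var: compare_equations(PROGRAM_A[var], PROGRAM_B[var])[1]
                for var in diverging if var in PROGRAM_A}
    return diverging, suspects

SCENARIO = [{"route_request": True, "tc_occupied": False}] * 3
NORMAL = {"point_normal": False, "point_locked": False}
ANOMALOUS = {"point_normal": False, "point_locked": True}  # inconsistent detection

if __name__ == "__main__":
    for label, initial in (("normal", NORMAL), ("anomalous", ANOMALOUS)):
        print(label, *two_stage_check(initial, SCENARIO))
```

The nominal run shows no divergence even though the two `point_lock_cmd` equations differ textually; only the anomalous starting condition exposes the missing `point_normal` term in program A's `signal_green` equation.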

51. A method according to one or more of the
preceding claims 44 to 50, characterised in that the
actions for the comparison with a program generated
according to a different generating code are executed
also in relation to logical programs for simulating the
individual operating units and the plant structure as
well as at logical programs for simulating relays and
relay network and in case such check action may be also
extended to the graphic representation programs of the
operating units or of relays.

52. A method according to one or more of the
preceding claims 44 to 51, characterised in that it
comprises parallel means for certificating the control
and command logical program consisting in a further
independent program that executes in parallel the test
of the same Boolean equation system constituting the
control and command logical program to execute a double
test by means of the railway plant simulation, the
behaviour of the simulated plant obtained under the
control of the control and command logical program in
the two separated and parallel check tests being
compared and alert or error files being generated in
case of difference.

53. A method according to one or more of the
preceding claims 44 to 52, characterised in that it
comprises a step for operating connection to devices or
remote networks to command the test functions from a
remote workstation and/or to execute alternative
functions as functions of non vital node of railway
plant.

54. A method according to claim 53, characterised
in that it is used for a modification to update a
control and command logical program and for the virtual
functional test thereof in case of structural
modification of the plant.

55. A method according to claims 51 to 54,
characterised in that it is used for the supervision or
the diagnostic of the correct operation of the real
station plant, by executing a comparison between the
state condition assumed by the real plant and that
assumed by the simulated plant.

56. A method according to one or more of the
preceding claims 50 to 55, characterised in that it is
used as a virtual emergency simulator for intervention
or command possibility of the real plant to realize on
the plant itself only the choice that offers the best
solution among the possible choices.

57. A method according to one or more of the
preceding claims 29 to 55, characterised in that it
comprises a program for executing simulation functions
with a user interface of the type used by Windows ®
program by Microsoft Inc. and hence comprising
operating windows with function buttons, quick choice
menus and other functionalities typical of said
interface, in addition obviously to the use of the
mouse or of other pointing means, selection and
inputting of commands and the keyboard to input
numerical, alphanumerical data, and/or numerical or
alphanumerical commands, such as also to create or
modify graphic images of operating units and/or of
relays or of other parts of the plant structure.

58. A program for a computer provided to verify a
logical program for controlling and commanding a plant,
particularly railway plant by means of application on a
simulated railway plant that is provided to execute the
method steps according to one or more of the preceding
claims 29 to 57 or to be loaded in the computer to form
a device according to one or more of the preceding claims
1 to 28.



